Seoul Mulls ID Card Overhaul After Series of Catastrophic Breaches

The South Korean authorities are considering a massive overhaul of the country’s identity card system after crippling data breaches in recent years exposed the majority of citizens’ unique ID numbers to criminals.

The government’s admission will be a huge blow not only financially to the south-east Asian tiger but also to its hi-tech credentials. South Korea regularly comes out first globally in terms of broadband and smartphone penetration and was named top of the UN’s ICT Development Index for two years in a row.

The decision to reconsider whether the entire ID card system must be rebuilt was taken after a major breach in January this year affecting nearly half of the country, including president Park Geun-hye, according to AP.

Citing unnamed “experts”, the report claims that ID numbers of an estimated 80% of the population have been stolen from banks and other sources since 2004.

In the past three years alone, big name breaches have affected a large majority of the nation. In 2011, social networking site Cyworld and portal Nate were struck in an attack hitting 35 million accounts.

Then in January this year there was the aforementioned KCB attack, which affected 20 million South Koreans, and most recently in August another breach was discovered exposing personal information on 27 million.

There are approximately 50 million people living in South Korea.

Part of the problem appears to lie with the fact that the ID card system – ironically created in the 1960s by the current president’s autocratic father – is not fit for the internet age. For example, credentials consist of the user’s birth date, followed by a “1” for male and “2” for female, then other details.

As users are not allowed to change their ID numbers, once hackers get hold of these they effectively have a free pass to commit ID fraud and other online scams.

A new ID card system would set the government back about $650m, a ministry spokesperson told AP, but the knock-on effect as businesses are forced to redesign systems could apparently run into the billions.

James Lyne, global head of security research at Sophos, told Infosecurity that although many people focus on government repositories as a potential point of security weakness, it is often breaches of businesses that end up exposing sensitive data. 

"As governments re-factor identity systems they should consider how citizens can validate the systems they are connecting to when they want to hand over data and streamlining the processes for citizens that have their information breached," he added.

"Naturally, some of the greatest security advances in this area could come from better security awareness and education rather than technical countermeasures.  That said, using encryption and identity technology correctly could make it much harder for attackers to steal digital citizen identity data and to validate the security of the transaction."

What’s Hot on Infosecurity Magazine?